#!/bin/bash
##################################################################
# Copyright (C) 2008 - Jon Agland			    	 #
#								 #
# This program is free software; you can redistribute it and/or  #        
# modify it under the terms of the GNU General Public License    #        
# as published by the Free Software Foundation; either version 2 #        
# of the License, or (at your option) any later version.         #        
#								 #
# This program is distributed in the hope that it will be useful,#        
# but WITHOUT ANY WARRANTY; without even the implied warranty of #        
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the  #        
# GNU General Public License for more details.                   #         
##################################################################
# ---------------------------------------------------------------
# IMPORTANT NOTE: This version has *not* been extensively tested.
# ---------------------------------------------------------------
# Name: sa-phish-gen
# Version: 1.0
# Description: This script (sa-phish-gen) is intended to parse the list from
# the anti-phishinge-email-reply project into a SpamAssassin config file (.cf)
# See http://code.google.com/p/anti-phishing-email-reply/
# Usage: ./sa-phish-gen <filename>  
# Example usage:./sa-phish-gen phishing_reply_addresses > sa-phish.cf

###################################################################
# Adjust these values to your own desire. They are set *very* high.
#
ONEDAYSCORE="1000"
ONEWEEKSCORE="500"
ONEMONTHSCORE="200"
THREEMONTHSCORE="100"
SIXMONTHSCORE="50"
ONEYEARSCORE="20"
# This score should only get used for over 1 year old.
BASESCORE="10"

mailaddrreg() {
	# Convert e-mail address from me@domain.com to me\@domain\.com
       saaddr=$(echo $addr | sed s/'\.'/'\\.'/g | sed s/'\@'/'\\@'/g)
       }

createreplytotest() {
	mailaddrreg;
	# This should deal with those with a Reply-To or other header
	# containing the listed e-mail address
	# Results containing the Type A
	echo "header SA_PHISH_GEN_A_$value reply-to =~ /$saaddr/i" 
	echo "score SA_PHISH_GEN_A_$value $score"
	echo "describe SA_PHISH_GEN_A_$value $addr is listed in http://code.google.com/p/anti-phishing-email-reply" 
        }

createfromtest() {
       mailaddrreg;
       # This should deal with those with a From header
       # containing the listed e-mail address
       # Results containing the Type B
	echo "header SA_PHISH_GEN_B_$value From =~ /$saaddr/i" 
	echo "score SA_PHISH_GEN_B_$value $score" 
	echo "describe SA_PHISH_GEN_B_$value $addr is listed in http://code.google.com/p/anti-phishing-email-reply" 
        }

createbodytest() {
       mailaddrreg;
       # This should deal with those with the content/body
       # containing the list e-mail address
       # Results containing the Type C
       echo "body SA_PHISH_GEN_C_$value /\b$saaddr\b/i" 
       echo "score SA_PHISH_GEN_C_$value $score" 
       echo "describe SA_PHISH_GEN_C_$value $addr is listed in http://code.google.com/p/anti-phishing-email-reply" 
        }
# This function uses the Last Seen date to determine a score.
datescorer() {
	# Takes the date from the list and converts it to EPOCH/Unix time
        thedate=`echo $line | awk -F\, '{print $3}'`
        dateinepoch=`date --date=$thedate +%s`
	# Todays date in EPOCH/Unix time
        todaydate=`date +%s`
	# Some definitions of - very rough.
        oneday=$(($todaydate - 86400))
        oneweek=$(($todaydate - (7*86400)))
        onemonth=$(($todaydate - (28*86400)))
        threemonth=$(($todaydate - (72*86400)))
        sixmonth=$(($todaydate - (182*86400)))
        oneyear=$(($todaydate - (365*86400)))
	# Set the Base score
	# Anything over year should get this score.
        score=$BASESCORE
	# Now check if the listed date is greater than than
	# One year ago.
        if [ $dateinepoch -ge $oneyear ]; then
        score=$ONEYEARSCORE
        fi
	# Six Months ago..
        if [ $dateinepoch -ge $sixmonth ]; then
        score=$SIXMONTHSCORE
        fi
        if [ $dateinepoch -ge $threemonth ]; then
        score=$THREEMONTHSCORE
        fi
        if [ $dateinepoch -ge $onemonth ]; then
        score=$ONEMONTHSCORE
	fi
        if [ $dateinepoch -ge $oneweek ]; then
        score=$ONEWEEKSCORE
        fi
	# One day ago...
        if [ $dateinepoch -ge $oneday ]; then
        score=$ONEDAYSCORE
        fi
        }

# Main body of code.

exec<$1

value=0
while read line
do
	# 2nd Column - Type
	commentcheck=`echo $line | cut -b1`;
	if [ "$commentcheck" != "#" ] 
	then
	# Loop count because we don't need to count comments! :)
	value=`expr $value + 1`;
        type=`echo $line | awk -F\, '{print $2}'`;
	# 1st Column - E-mail address
        addr=`echo $line | awk -F\, '{print $1}'`;
	# Call scoring function
        datescorer;

	# This choose what lines we create
	# in somone instances we create more than one
        # We don't really have a test for D (obfuscated in body)
	case "$type" in A)
        createreplytotest;
        ;;
	B)
        createfromtest;
        ;;
        C)
        createbodytest;
        ;;
        D)
        createbodytest;
        ;;
        AB)
        createreplytotest;
        createfromtest;
        ;;
	AC)
	createreplytotest;
	createbodytest;
	;;
	AD)
	createreplytotest;
	createbodytest;
	;;
        ABC)
        createreplytotest;
        createfromtest;
        createbodytest;
        ;;
        ABCD)
	createreplytotest;
        createfromtest;
        createbodytest;
        ;;
        BC)
        createfromtest;
        createbodytest;
        ;;
        BCD)
        createfromtest;
        createbodytest;
        ;;
        CD)
        createbodytest;
        ;;
        esac
	fi
done



